The present invention inter alia relates to a method and system for testing the robustness of a web service against malicious attacks.
Over the last decade, the Internet has become a service-oriented platform. Nowadays, many web-based services are provided via one or more application programming interfaces (APIs) that are accessible via the hypertext transfer protocol (HTTP) for execution on one or more computers. Such a service may be accessible via a layer of one or more service oriented architecture (SOA) interceptors, e.g. to validate the credentials of the client. Information between the web service and a client is typically exchanged using suitable protocols, such as the simple object access protocol (SOAP) or representational state transfer (REST), between the server and the client.
Because such web services require access to confidential or sensitive information, e.g. information stored in a database, such services can become the target of malicious attacks in an attempt to obtain access to this information. It is therefore of paramount importance that the web service is designed in a manner that can withstand such attacks. In other words, it is important that the web service is robust and secure.
To this end, solutions are available to test the security of a web service. Such solutions typically simulate an attack on the web service, and the level of success of the attack provides valuable insights into the vulnerabilities of the tested web service, which insights can be used to improve the robustness of the web service.
However, it is not straightforward to design a suitable test strategy for such tests. If the test strategy is not properly aligned with the web service infrastructure, the simulated attacks may not sufficiently penetrate the web service and may fail to expose its vulnerabilities. This can lead to insecure web services being released, which can have serious consequences, as will be readily understood.
US 2012/0059919 A1 discloses a method of testing web services using SOAP or REST protocols with a web service testing framework. The protocol used by the web service can be determined from packet header information. However, the choice of protocol provides limited information about the web service structure, and gives little guidance as to how to structure the web service test routines in order to optimize the coverage and/or accuracy of the test. There exists a need to further improve the methodology of web service test design.